Trust the system root CA certificates

[FranklinYu]

Do you want to request a feature or report a bug?
Feature

For most operating system there is a system trust store to store root CA certificates. In Linux that is managed by OpenSSL; in macOS it is Keychain; in Windows it is the system trust store managed by CertMgr. In many corporation, the system trust stores of computers are managed by Group Policy or some similar product. This way new root certificate can be deployed by administrator centrally. Currently if I want Yarn to trust internal Git source with HTTPS protocol, I need the cafile option, and I need to duplicate the entire trust store because this option overrides default trust store. It would be awesome if Yarn automatically trust the root CA certificates in system trust store.

It can be opt-in. Also I know nothing about internal implementation of Yarn; if this is deferred to npm internally, I would instead report this to npm.

[FranklinYu]

I assume that most users complaining in #841 (maybe even #6199) would benefit from this feature. Node.js already did something similar in nodejs/node#3159.

[Kielan]

For those developers who are unfamiliar with how the cafile option can be used to trust the Keychain CA Certs how is this done on yarn install @FranklinYu ?

[FranklinYu]

@Kielan It’s the same as NPM; place the CA bundle in your local filesystem, and set cafile to its path.

[nbarbettini]

This seems like a much better solution to what most users are running into in #841. Disabling SSL checks makes me sad.

@FranklinYu @kaylie-alexa Any idea when this might be available?

[FranklinYu]

@nbarbettini It’s not up to me to decide, and I have no idea whether this would even be implemented. @kaylie-alexa doesn’t seem interested, neither do other Yarn team members. I have just created a similar feature request to NPM and let’s see which team cares more about this.

I’m currently working in security, and most people don’t care about security. This is the reality. I myself don’t really care, otherwise I would have spent weeks to make a PR myself.

[Daniel15]

Does Node.js not do this out of the box? Some investigation as to what other Node.js apps do would be appreciated here 😃

[FranklinYu]

@Daniel15 Node.js currently supports system OpenSSL bundle, but not Windows CertMgr or macOS Keychain. See nodejs/node#3159 I referred above.

[Daniel15]

To me, it seems like it'd be better to change this in Node.js itself, rather than doing something special in Yarn specifically...

[FranklinYu]

@Daniel15 Is Yarn using the Node.js TLS package? If so, setting environment variable NODE_OPTIONS=--use-openssl-ca should do the trick. I’ll check this in Linux when I’m available.

[Daniel15]

Yarn uses whatever version of Node.js you have installed.

[cben]

Works for me on Fedora linux with or without NODE_OPTIONS=--use-openssl-ca.
Like many linux distros, Fedora builds Node defaulting to that, as distros like centralized way to update trusted CAs for all apps).

The critical trick is not setting ca or cafile in any way. Not in any .yarnrc, not in .npmrc, not by npm_config_cafile env var. (Use yarn config list to confirm the configuration in effect.)
If you set ca or cafile, yarn passes explicit TLS config to Node, overriding the defaults — so only the CA(s) you provided will be trusted.

Instead, if you want to add a trusted cert on top of the system's CAs, I believe NODE_EXTRA_CA_CERTS env var will help (untested, as the cert I needed was already in the system's trust).